F9: How to remove a permanent SSL user/client certificate?
Daniel B. Thurman
dant at cdkkt.com
Sat May 9 01:39:14 UTC 2009
Craig White wrote:
> On Fri, 2009-05-08 at 17:44 -0700, Daniel B. Thurman wrote:
>
>> Sorry, I have looked on the Internet and have not
>> figured out how to get rid of a permanent client/user
>> certificate. I am testing my Apache/SVN/SSL with
>> a self-signed certificate and choose the permanent
>> option, and I'd like to remove it for further testing.
>>
> ----
> remove from what?
>
> from server, you have a crl (certificate revocation list)
>
> from client, depends how/where you installed it
>
> Craig
>
I was trying to setup and test my Apache/SVN/SSL setup, and
I have for /etc/httpd/conf.d/subversion.conf:
<VirtualHost 127.0.0.1:80>
ServerName gold.cdkkt.com
Redirect / https://gold.cdkkt.com/
</VirtualHost>
<VirtualHost gold.cdkkt.com:443>
#<Directory "/svn/svn">
# Order allow,deny
# Allow from 127.0.0 10.0.0
#</Directory>
ServerName gold.cdkkt.com
ServerAdmin admin at cdkkt.com
CustomLog /svn/svn/Admin/logs/access.log combined
ErrorLog /svn/svn/Admin/logs/error.log
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Location /svn>
AuthName "Subversion Repository"
DAV svn
SVNParentPath /svn/svn
AuthUserFile /svn/svn/Admin/apache/auth
AuthzSVNAccessFile /svn/svn/Admin/apache/authz
#<LimitExcept GET PROPFIND OPTIONS REPORT>
# Order deny,allow
# Deny from all
# allow from 127.0.0 10.1.0.0/24
#</LimitExcept>
AuthType Basic
Require valid-user
#Satisfy any
</Location>
</VirtualHost>
And while I was testing, on the command line such as:
# svn list https://gold.cdkkt.com/svn/svn1
I was prompted to choose Reject, Temporary, or Permanent
and I choose "p", and it moved on to asking for an SVN password,
accepting it, and I got my SVN repository list.
==============================================
$ svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019
19:41:42 GMT
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
(R)eject, accept (t)emporarily or accept (p)ermanently? p
Authentication realm: <https://gold.cdkkt.com:443> Subversion Repository
@ Gold.cdkkt.com
Password for 'dant':
branches/
tags/
trunk/
==============================================
The next time I ran this above command line again, I somehow
got an error:
===============================================
$svn list https://gold.cdkkt.com/svn/svn1
Error validating server certificate for 'https://gold.cdkkt.com:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: gold.cdkkt.com
- Valid: from Fri, 08 May 2009 19:41:42 GMT until Mon, 06 May 2019
19:41:42 GMT
- Issuer: Software Consultant, DBT And Associates, Beaverton, Oregon, US
- Fingerprint: 6f:8c:46:d3:71:e4:27:b8:3b:78:1c:d5:37:8d:9c:87:68:e0:98:88
(R)eject, accept (t)emporarily or accept (p)ermanently? p
svn: PROPFIND request failed on '/svn/svn1'
svn: PROPFIND of '/svn/svn1': 403 Forbidden (https://gold.cdkkt.com)
===============================================
I am trying to understand what is going on: (1) why am I still getting
prompted to choose the certificate (I thought is was permanent),
and (2) no longer asked for the SVN password. It is quite possible
for (2), I screwed up the subversion.conf settings but can't quite
find the problem.
What is odd is, that if I uncomment `#Satisfy any' line, run the same
exact command as above, I don't get asked to verify the certs, don't
get requested for the SVN password, and immediately get the the
SVN listing.
I did find some things in:
~/.subversion directory under the `auth' directories, and removed
what I *think* where the certs were saved, but I cannot be certain,
even so, nothing has changed.
So, if the certificate was supposedly saved somewhere, where should
it be located? I checked the Keyrings, Browser-security - nothing.
Dan
More information about the fedora-list
mailing list